Cisco Meraki

Activation Lock for Apple Devices

Activation Lock is a security feature on Apple devices which prompts for Apple ID credentials after a device is factory reset. This makes it difficult for someone to use or sell an Apple device if it is lost or stolen. 

 

Systems Manager can manage Activation Lock state on Apple devices. This functionality requires supervision to be enabled on the target device.  If an Apple device is supervised, administrators have the following capabilities:

  • Allow/Prevent Activation Lock
  • Force enable MDM Activation Lock (also requires automated device enrollment via Apple's Device Enrollment Program)
  • Clear the Activation Lock state remotely

Allow Activation Lock

End users can enable Activation Lock when signing into Find My iPhone/iPad on the device with their Apple ID credentials.  However, this ability is automatically disabled if the device is supervised at the time of enrollment. 

 

To allow end users to enable Activation Lock with Find My iPhone:

  1. Go to Manage > Settings 
  2. Create a "Privacy and Lock" configuration profile 
  3. Check the box for "Allow Activation Lock"
  4. Scope the configuration profile to the desired tags and save

Warning: For devices enrolled with DEP before August 12, 2019, "Allow Activation Lock" may have been enabled by default. If Activation Lock is enabled after wiping a device, try one of the following steps:

Enable MDM Activation Lock

When a supervised Apple device is enrolled using automated device enrollment (DEP), then Systems Manager can force enable Activation Lock using the Apple ID of an Apple Business Manager or Apple School Manager administrator.  This method provides administrators with the added reassurance that they can reactivate a device with known credentials if it is wiped while Activation Lock is enabled. 

 

To enable MDM Activation Lock automatically at the time of DEP enrollment:

  1. Go to Manage > Settings 
  2. Create a "Privacy and Lock" configuration profile 
  3. Check the box for "Allow MDM Activation Lock"
  4. Scope the configuration profile to the desired tags and save


 

MDM Activation Lock can also be enabled on a per-device basis for DEP-enrolled devices. Go to the Systems Manager > Devices list and click on the target device to access its device details. Under the MDM Commands section, the Enable Activation Lock option will send a command to Apple to enable Activation Lock on the device.


Warning: For devices enrolled with DEP before August 12, 2019, "Allow MDM Activation Lock" may have been enabled by default. If Activation Lock is enabled after wiping a device, try one of the following steps:

  • Enter the Apple ID username and password of the linked Apple Business Manager or Apple School Manager administrator.
  • Use an Activation Lock bypass method.

Checking Activation Lock Status

To check the current Activation Lock state of all devices, go to the Systems Manager > Devices list and add the column (+) for Activation Lock.

Activation Lock status can also be viewed for a specific device on the device details page under the Management section.  The two statuses are:

  • Activation Lock - Activation Lock status if enabled via Find My iPhone/iPad on the device. If the status is Enabled, Activation Lock may be linked to the end user's Apple ID.
  • MDM Activation Lock - Activation Lock status if enabled via a Systems Manager command. If the status is Enabled, Activation Lock may be linked to the Apple ID of the Apple Business Manager or Apple School Manager administrator account.


Bypass Activation Lock

Systems Manager has a feature called Activation Lock Bypass to circumvent the Apple Activation Lock. This method utilizes unique "bypass codes" that are created when Activation Lock is enabled; each code is stored in Systems Manager.  The bypass codes can be used to authorize clearing Activation Lock on a device in situations where the linked Apple ID credentials are unknown. Bypass Activation Lock can be performed on a single device at a time, or for all enrolled devices at once. 

Prerequisites 

Bypassing Activation Lock requires that devices meet a few prerequisites. To remotely bypass Activation Lock, the following criteria must be met:

  • The target device must be enrolled in a Systems Manager network
  • The target device is running iOS/iPadOS/tvOS 7.1+ or macOS 10.15+ with a T2 chip (full macOS requirements here)
  • The target device must be supervised, using Apple Configurator or Apple's DEP 
  • Activation Lock was enabled via MDM or Find My iPhone/iPad on the target device

Bypass Activation Lock - Single Device


Once the prerequisites are met, the Activation Lock Bypass tools will appear under the MDM commands section of the device details page.

Note: The device must be supervised and enrolled in Systems Manager prior to Find My iPhone/iPad being enabled.
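The prerequisites above, including the ordering requirement in the note, can be checked across an inventory before any device is wiped. The following is an added example, not Meraki code: the `Device` record, its field names and the sample fleet are hypothetical and do not reflect a Systems Manager export or API schema.

```python
from dataclasses import dataclass

@dataclass
class Device:  # hypothetical record; field names are assumptions, not a Meraki schema
    name: str
    os: str
    os_version: str
    enrolled: bool = True
    supervised: bool = True
    has_t2: bool = False
    activation_lock: bool = False        # enabled via Find My (end user's Apple ID)
    mdm_activation_lock: bool = False    # enabled via a Systems Manager command
    locked_before_supervision: bool = False

MIN_VERSION = {"iOS": (7, 1), "iPadOS": (7, 1), "tvOS": (7, 1), "macOS": (10, 15)}

def parse_version(text):
    # Compare as integer tuples; as plain strings "10.2" would sort below "7.1".
    return tuple(int(part) for part in text.split("."))

def bypass_blockers(d):
    """Unmet bypass prerequisites for one device; an empty list means none."""
    blockers = []
    if not d.enrolled:
        blockers.append("not enrolled")
    if not d.supervised:
        blockers.append("not supervised")
    minimum = MIN_VERSION.get(d.os)
    if minimum is None or parse_version(d.os_version) < minimum:
        blockers.append("OS not supported")
    if d.os == "macOS" and not d.has_t2:
        blockers.append("no T2 chip")
    if not (d.activation_lock or d.mdm_activation_lock):
        blockers.append("Activation Lock not enabled")
    if d.activation_lock and d.locked_before_supervision:
        blockers.append("Find My enabled before supervision")
    return blockers

def wipe_risk(devices):
    """Locked devices with unmet prerequisites: after a wipe they need the Apple ID."""
    locked = [d for d in devices if d.activation_lock or d.mdm_activation_lock]
    return {d.name: bypass_blockers(d) for d in locked if bypass_blockers(d)}

FLEET = [  # constructed sample data
    Device("ipad-lab-01", "iPadOS", "16.5", mdm_activation_lock=True),
    Device("iphone-byod-07", "iOS", "15.7", supervised=False, activation_lock=True),
    Device("mac-old-03", "macOS", "10.15.7", mdm_activation_lock=True),
    Device("ipad-cart-12", "iPadOS", "10.2", activation_lock=True, locked_before_supervision=True),
    Device("atv-lobby", "tvOS", "16.0"),
]
```

Calling `wipe_risk(FLEET)` returns the three sample devices that are locked but cannot be bypassed, each with the prerequisite it fails.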


 

The Clear Activation Lock command automatically releases the device from an Activation Locked state using the last known bypass code(s). It may be necessary to tap Back on the device before being able to proceed with activation if the device is already factory reset.

 

The Show bypass code command reveals the unique Activation Lock bypass code received by Cisco Meraki from Apple. If the device has already been factory reset and reactivated, at the Activate iPhone/iPad screen, administrators can manually enter the bypass code (without dashes) in the password field and leave the Apple ID field blank.

 

 


 

Bypass Activation Lock - In Bulk

If Activation Lock is enabled on multiple devices, and the devices meet all of the prerequisites, Systems Manager can attempt to bypass Activation Lock for all target devices at once. Click the checkbox to select devices in Systems Manager > Devices. Then choose Command > Bypass Activation Lock.

Only devices that meet the prerequisites and currently have Activation Lock enabled will be attempted.

Note: Mass Bypass commands are enqueued within Meraki Systems Manager and then sent to Apple. A "Status: Success" on this modal means that the bypass job was successfully enqueued in Meraki Systems Manager. Processing of the requests between Meraki and Apple may take several minutes after this, depending on the number of devices you are attempting to bypass. Check back on the devices list in a few minutes to confirm that the Activation Lock status changes from Enabled to Disabled. If you are having a problem with a particular device, try "Bypass Activation Lock - Single Device" to view any errors that Apple returned for the bypass attempt.

Troubleshooting Bypass Activation Lock

If Systems Manager is unable to bypass an Activation Lock, we suggest reaching out to Apple Enterprise Support, as they have dedicated support options to bypass the Activation Lock. The most Meraki can do is attempt the Bypass Activation Lock command or manually enter the bypass code in place of the Apple ID password. When these do not work, Apple needs to be brought in to release the Activation Lock on Apple's servers. You can also unlock a single device by signing in with the Apple ID.
